Category: Security

Sep 20 2016

Unregulated at Any Speed: DoT’s Cybersecurity Policy for Self-Driving Cars

Despite headlines, hype, and hysteria, U.S. Government rightly chooses cybersecurity guidance over regulation

The Obama Administration today unveiled its long-awaited safety policy for self-driving or automated vehicles (AVs). Despite the recent tragic death of a passenger travelling in a Tesla-built AV, and persistent discussions of spectacular cyber-sabotage scenarios, the government chose a wise, sober course with regard to cybersecurity.

The U.S. Department of Transportation and National Highway Traffic Safety Administration (NHTSA) opted to work with industry to drive AV innovation, rather than propose regulations that could restrict such innovation and even potentially undermine the cybersecurity of such vehicles.

DoT’s four-point policy seeks to lay “a path for the safe testing and deployment of new auto technologies” with life-preserving and resource-conserving potential for the American people. Specifically, the policy presents a model for Federal and State regulatory responsibilities, outlines NHTSA’s AV regulatory tools, and proposes new regulatory tools and statutory authorities.

In the area of safety, however, the government presents a 15-Point Safety Assessment Guidance, covering everything from consumer education, to data recording and privacy, to human-machine interfaces, to crashworthiness, to our primary concern: vehicle cybersecurity.

Following is an excerpt from the policy document’s guidance:

“While [cybersecurity] is an evolving area and more research is necessary before proposing a regulatory standard, entities are encouraged to design their HAV systems following established best practices for cyber physical vehicle systems. In particular, entities should consider and incorporate guidance, best practices, and design principles published by National Institute for Standards and Technology (NIST), NHTSA, SAE International, the Alliance of Automobile Manufacturers, the Association of Global Automakers, the Automotive Information Sharing and Analysis Center (Auto-ISAC) and other relevant organizations.

As with safety data, industry sharing on cybersecurity is important. Each industry member should not have to experience the same cyber vulnerabilities in order to learn from them. That is the purpose of the Auto-ISAC, to promote group learning. To that end entities should report any and all discovered vulnerabilities from field incidents, internal testing, or external security research to the Auto-ISAC as soon as possible, regardless of membership. Entities involved with HAVs should consider adopting a vulnerability disclosure policy.”

This afternoon, Intel Security CTO Steve Grobman commented that the choice of cybersecurity guidance reveals an Obama Administration “highly-supportive” of AV technology and the cybersecurity innovation required to protect it:

“In choosing guidance over regulation, the Administration showed itself to be both industry supportive and tech savvy. They’ve focused on best practices and the Auto-ISAC threat analysis and vulnerability sharing between automakers and component manufacturers.

They clearly understand that the critical cybersecurity challenge in self-driving vehicles will be tackling the threats of today and tomorrow—versus the threats of five years ago.

There’s always a concern that government regulations may stifle the ability of innovators to innovate, whereas guidance tends to create an ongoing, constructive, even progressive dialogue between stakeholders.

But one of the greatest challenges of cybersecurity is that a regulation-based approach to protection never keeps up with the rapid pace of a changing cyber-threat landscape. New threats and vulnerabilities come to light each month.

Well-meaning regulatory regimes can force an opportunity cost upon manufacturers, as limited resources best applied to address today’s most critical threats can be spent wrestling with restrictions meant to address older issues long after they are critical security concerns.”

For more on Intel Security’s perspectives on and technology commitments to vehicle cybersecurity, please see our recent whitepaper and announcements around the Automotive Security Review Board (ASRB).

To learn what ordinary everyday people should know about the cybersecurity of connected cars and driverless vehicles, please see Gary Davis’ blog entitled From the Ground Up: How the Cars of the Future Will Be Secured.

Members of the press interested in speaking to Mr. Grobman on this topic may do so by contacting chris.palm@intel.com.

The post Unregulated at Any Speed: DoT’s Cybersecurity Policy for Self-Driving Cars appeared first on McAfee.

Sep 20 2016

New York Proposes First-in-the-Nation Cybersecurity Regulation for Financial Institutions

On September 13, 2016, the New York Department of Financial Services introduced a new rule that would require banks, insurance companies and other financial institutions regulated by the Department to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety of New York’s financial services industry. The proposed regulation is subject to a 45-day notice and public comment period, following its September 28, 2016 publication in the New York State Register, before final issuance.

Under the proposed rule, regulated financial institutions would be required to:

  • Establish a cybersecurity program;
  • Adopt a written cybersecurity policy;
  • Designate a Chief Information Security Officer responsible for implementing and overseeing the new cybersecurity program and policy; and
  • Have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to third parties.

Establishment of a Cybersecurity Program

According to the proposed rule, regulated financial institutions will need to establish a “cybersecurity program designed to ensure the confidentiality, integrity and availability of information systems that performs five core cybersecurity functions:”

  • Identification of cyber risks.
  • Implementation of policies and procedures to protect against unauthorized access, unauthorized use or other malicious acts.
  • Detection of cybersecurity events.
  • Response to identified cybersecurity events to mitigate any negative effects.
  • Recovery from cybersecurity events and restoration of normal operations and services.

Additional requirements for each “cybersecurity program” include:

  • Annual penetration testing and vulnerability assessments.
  • Implementation and maintenance of an audit trail system to reconstruct transactions and log access privileges.
  • Limitations and periodic reviews of access privileges.
  • Written application security procedures, guidelines and standards that are reviewed and updated by the CISO at least annually.
  • Annual risk assessment of the confidentiality, integrity, and availability of information systems; adequacy of controls; and how identified risks will be mitigated or accepted.
  • Employment and training of cybersecurity personnel to stay abreast of changing threats and countermeasures.
  • Multi-factor authentication for individuals with privileged access to internal systems, and to support functions such as remote access.
  • Timely destruction of nonpublic information that is no longer necessary except where required to be retained by law or regulation.
  • Monitoring of authorized users and cybersecurity awareness training for all personnel.
  • Encryption of all nonpublic information held or transmitted.
  • Written incident response plan to respond to, and recover from, any cybersecurity event.

Adoption of a Cybersecurity Policy

The new rule would require regulated financial institutions to adopt a written cybersecurity policy, setting forth “policies and procedures for the protection of their information systems and nonpublic information that addresses, at a minimum, the following:”

  • Information security.
  • Data governance and classification.
  • Access controls and identity management.
  • Business continuity and disaster recovery planning and resources.
  • Capacity and performance planning.
  • Systems operations and availability concerns.
  • Systems and network security.
  • Systems and network monitoring.
  • Systems and application development and quality assurance.
  • Physical security and environmental controls.
  • Customer data privacy.
  • Vendor and third-party service provider management.
  • Risk assessment.
  • Incident response.

Creation of Chief Information Security Officer

The new rule would require regulated financial institutions to designate a qualified individual to serve as a CISO, responsible for “overseeing and implementing the institution’s cybersecurity program and enforcing its cybersecurity policy.” The new rule also would require the CISO to “report to the board, at least bi-annually to:”

  • Assess the confidentiality, integrity and availability of information systems.
  • Detail exceptions to cybersecurity policies and procedures.
  • Identify cyber risks.
  • Assess the effectiveness of the cybersecurity program.
  • Propose steps to remediate any inadequacies identified.
  • Include a summary of all material cybersecurity events that affected the regulated institution during the time period addressed by the report.

Third Party Protections

The new rule also would require regulated financial institutions to have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third parties, including the following:

  • Identification and risk assessment of third parties with access to such information systems or such nonpublic information.
  • Minimum cybersecurity practices required to be met by such third parties.
  • Due diligence processes used to evaluate the adequacy of the cybersecurity practices of such third parties.
  • Periodic assessment, at least annually, of third parties and the continued adequacy of their cybersecurity practices.

A draft of the proposed rule is here.

Sep 20 2016

Researchers wirelessly hit the brakes in a Model S, Tesla patches quickly

Researchers from Tencent's Keen Security Lab remotely compromised a Tesla Model S over Wi-Fi.

Security researchers at the Chinese Internet company Tencent's Keen Security Lab privately revealed a security bug in Tesla Model S cars that allowed an attacker to gain remote access to a vehicle's Controller Area Network (CAN) and take over functions of the vehicle while it was parked or moving. The Keen researchers were able to remotely open the doors and trunk of an unmodified Model S, and they were also able to take control of its display. Perhaps most notably, the researchers remotely activated the brakes of a moving Model S once the car had been breached by an attack on the car's built-in Web browser.

Tesla has already issued an over-the-air firmware patch to fix the situation.

Previous hacks of Tesla vehicles have required physical access to the car. The Keen attack exploited a bug in Tesla's Web browser, which required the vehicle to be connected to a malicious Wi-Fi hotspot. This allowed the attackers to stage a "man-in-the-middle" attack, according to the researchers. In a statement on the vulnerability, a Tesla spokesman said, "our realistic estimate is that the risk to our customers was very low, but this did not stop us from responding quickly." After Keen brought the vulnerability to Bugcrowd, the company managing Tesla's bug bounty program, it took just 10 days for Tesla to produce a fix.

Sep 20 2016

Mozilla Releases Security Updates

Original release date: September 20, 2016

Mozilla has released security updates to address multiple vulnerabilities in Firefox and Firefox ESR. Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system.

Available updates include:

  • Firefox 49
  • Firefox ESR 45.4

Users and administrators are encouraged to review the Mozilla Security Advisories for Firefox and Firefox ESR and apply the necessary updates.